
    Example: Configuring DSCP Rules in an IDP Policy

    This example shows how to configure DSCP values in an IDP policy.

    Requirements

    Before you begin:

    Overview

    Configuring DSCP values in IDP policies provides a method of associating CoS values—thus different levels of reliability—for different types of traffic on the network.

    This example shows how to create a policy called policy1, specify a rulebase for this policy, and then add rule R1 to this rulebase. In this example, rule R1:

    • Specifies the match condition to include any traffic from a previously configured zone called trust to another previously configured zone called untrust. The match condition also includes a predefined attack group called HTTP - Critical. The application setting in the match condition is specified as the default and matches any application configured in the attack object.
    • Specifies an action to rewrite the CoS field in the IP header with the DSCP value 50 for any traffic that matches the criteria for rule R1.

    Configuration

    CLI Quick Configuration

    To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.

    set security idp idp-policy base-policy
    set security idp idp-policy base-policy rulebase-ips rule R1 match from-zone trust to-zone untrust source-address any destination-address any application default
    set security idp idp-policy base-policy rulebase-ips rule R1 match attacks predefined-attack-groups "HTTP - Critical"
    set security idp idp-policy base-policy rulebase-ips rule R1 then action mark-diffserv 50
    set security idp active-policy base-policy

    Step-by-Step Procedure

    The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.

    To configure DSCP values in an IDP policy:

    1. Create a policy by assigning a meaningful name to it.
      [edit]
      user@host# edit security idp idp-policy base-policy
    2. Associate a rulebase with the policy.
      [edit security idp idp-policy base-policy]
      user@host# edit rulebase-ips
    3. Add rules to the rulebase.
      [edit security idp idp-policy base-policy rulebase-ips]
      user@host# edit rule R1
    4. Define the match criteria for the rule.
      [edit security idp idp-policy base-policy rulebase-ips rule R1]
      user@host# set match from-zone trust to-zone untrust source-address any destination-address any application default
      user@host# set match attacks predefined-attack-groups "HTTP - Critical"
    5. Specify an action for the rule.
      [edit security idp idp-policy base-policy rulebase-ips rule R1]
      user@host# set then action mark-diffserv 50
    6. Continue to specify any notification or logging options for the rule, if required.
    7. Activate the policy.
      [edit]
      user@host# set security idp active-policy base-policy

    Results

    From configuration mode, confirm your configuration by entering the show security idp command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

    [edit]
    user@host# show security idp
    idp-policy base-policy {
        rulebase-ips {
            rule R1 {
                match {
                    from-zone trust;
                    source-address any;
                    to-zone untrust;
                    destination-address any;
                    application default;
                    attacks {
                        predefined-attack-groups HTTP-Critical;
                    }
                }
                then {
                    action {
                        mark-diffserv {
                            50;
                        }
                    }
                }
            }
        }
    }
    active-policy base-policy;

    If you are done configuring the device, enter commit from configuration mode.
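    Comparing the show output against the intended configuration by eye is error-prone on a device with many rules, so the following added example (not part of the Juniper documentation) parses the curly-brace output of show security idp and checks the three things this example cares about: the rule matches the intended zone pair, the mark-diffserv value is a legal DSCP code point (the DS field is six bits, so 0 through 63), and the policy is actually the active policy. The sample output embedded in the script is constructed to mirror the Results section above; the parser and the audit_idp_rule helper are assumptions of this example, not a Juniper tool.

```python
"""Parse `show security idp` brace output and audit an IDP rule's DSCP settings."""

from typing import Any, Dict, List

# Constructed sample, laid out like the `show security idp` output in the Results section.
SAMPLE_SHOW_OUTPUT = """\
idp-policy base-policy {
    rulebase-ips {
        rule R1 {
            match {
                from-zone trust;
                source-address any;
                to-zone untrust;
                destination-address any;
                application default;
                attacks {
                    predefined-attack-groups HTTP-Critical;
                }
            }
            then {
                action {
                    mark-diffserv {
                        50;
                    }
                }
            }
        }
    }
}
active-policy base-policy;
"""


def parse_junos_braces(text: str) -> Dict[str, Any]:
    """Turn Junos curly-brace configuration text into nested dicts.

    `header {` opens a child dict keyed by the header text (e.g. "rule R1"),
    `}` closes it, and `keyword value;` becomes a key/value pair. A bare
    `value;` line (the `50;` inside mark-diffserv) is collected under "_values".
    """
    root: Dict[str, Any] = {}
    stack: List[Dict[str, Any]] = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        node = stack[-1]
        if line.endswith("{"):
            child: Dict[str, Any] = {}
            node[line[:-1].strip()] = child
            stack.append(child)
        elif line == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced '}' in configuration text")
            stack.pop()
        elif line.endswith(";"):
            parts = line[:-1].split(None, 1)
            if len(parts) == 2:
                node[parts[0]] = parts[1]
            else:
                node.setdefault("_values", []).append(parts[0])
        else:
            raise ValueError(f"unrecognised configuration line: {raw!r}")
    if len(stack) != 1:
        raise ValueError("unclosed '{' in configuration text")
    return root


def audit_idp_rule(text: str, policy: str, rule: str,
                   from_zone: str, to_zone: str) -> List[str]:
    """Return a list of findings; an empty list means the rule is as intended."""
    findings: List[str] = []
    cfg = parse_junos_braces(text)
    pol = cfg.get(f"idp-policy {policy}")
    if pol is None:
        return [f"policy {policy} not present"]
    rule_cfg = pol.get("rulebase-ips", {}).get(f"rule {rule}")
    if rule_cfg is None:
        return [f"rule {rule} not present in rulebase-ips of {policy}"]
    match = rule_cfg.get("match", {})
    if match.get("from-zone") != from_zone or match.get("to-zone") != to_zone:
        findings.append(f"rule {rule} zones are {match.get('from-zone')} -> "
                        f"{match.get('to-zone')}, expected {from_zone} -> {to_zone}")
    # DSCP lives in the 6-bit DS field, so mark-diffserv must be 0..63.
    dscp = (rule_cfg.get("then", {}).get("action", {})
            .get("mark-diffserv", {}).get("_values", []))
    if len(dscp) != 1 or not dscp[0].isdigit():
        findings.append(f"rule {rule} has no single numeric mark-diffserv value")
    elif not 0 <= int(dscp[0]) <= 63:
        findings.append(f"rule {rule} mark-diffserv {dscp[0]} is outside 0..63")
    # A policy that is configured but not active never sees traffic.
    if cfg.get("active-policy") != policy:
        findings.append(f"{policy} is configured but not the active IDP policy")
    return findings


if __name__ == "__main__":
    print(audit_idp_rule(SAMPLE_SHOW_OUTPUT, "base-policy", "R1", "trust", "untrust"))
```

Feed the script the text of show security idp (for example via show security idp | no-more captured to a file) and treat any non-empty finding list as a reason to repeat the configuration steps before committing.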

    Verification

    To confirm that the configuration is working properly, perform this task:

    Verifying the Configuration

    Purpose

    Verify that the DSCP values were configured in an IDP policy.

    Action

    From operational mode, enter the show security idp status command.

    Published: 2012-06-29